Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

hypnosec writes "The Linux Foundation's UEFI secure boot pre-bootloader is still in the works, and has been modified substantially so that it allows any Linux version to boot through UEFI secure boot. The reason for modifying the pre-bootloader was that the current version of the loader wouldn't work with Gummiboot, which was designed to boot kernels using BootServices->LoadImage(). Further, the original pre-bootloader had been written using 'PE/Coff link loading to defeat the secure boot checks.' As it stands, anything run by the original pre-bootloader must also be link-loaded to defeat secure boot, and Gummiboot, which is not a link-loader, didn't work in this scenario. This is the reason a re-write of the pre-bootloader was required and now it supports booting of all versions of Linux." Also in UEFI news: Linus Torvalds announced today that the flaw which was bricking some Samsung laptops if booted into Linuxhas been dealt with.

Because the alternative is to sign with your own key and enter that into the UEFI firmware. Which you can do. The complaint from some parties is that users are too stupid to do so, so bootloaders 'must' be signed with an existing key.

The implementation in Samsungs UEFI shows some weird behavior. Error code EFI_INVALID_PARAMETER should only be returned, if one of the given pointers to variables is NULL and pointing to an invalid memory section. Samsungs implementation also throughs this error, if the given memory blocksize is not exactly 128 bytes, so for example (like the Linux-efivars module does) 1024 bytes. The Linux module does not expect the strange error code (it checks for NULL pointers itself) and does not report any UEFI variables, no boot entries, no nothing. The installer accepts that and installs the Linux boot entry into the first slot, where actually the boot entry for the setup is located - overwriting that entry! Setup is dead since Linux took its boot entry.

It does look like the Samsung implementation is doing weird things and Linux is doing weird things in return because it is expecting it to follow standards...

I don't know where people get that idea from. If you read the kernel people are just disabling the driver because the code is so utterly retarded. Samsung haven't done shit about it as is typical for Samsung.

Not implementing UEFI means the mobos can't be used in a production environment where they can receive the coveted "Windows 8 Ready" approval for millions of customers in the coming years. Continuing with the older BIOS system means they can easily boot alternative OSes for a few thousand enthusiast customers (who can in fact use UEFI anyway) but they lose the much bigger market. Decisions decisions...

Mobos are megacheap for what they do because of the numbers of each model that are built; a custom mobo with classic BIOS to specifically support Linux or other open OSes would cost hundreds of bucks per unit produced in limited quantities. At that point a cost-benefit analysis says "pay the damn Microsoft tax already!"

It is not written into the UEFI spec. In fact, the UEFI specification makes no such statements with respect to it being possible to disable secure boot, only how it is supposed to work. That was done deliberately.

The only reason you can even turn off secure boot on hardware now is because Microsoft caught shit for the first pass of their guidelines that left it up to OEMs whether or not users would be able to turn off secure boot. Had they left like that you can guarantee that Samsung et. al. would have locked every laptop and desktop they shipped with Windows 8 and you would never actually own your PC again.

I bet Samsung is more pissed that Microsoft changed it so they had to allow for unlocks than they are at their own developers.